
CVE-2026-25524 - Vulnerability Analysis

Severity: High, CVSS: 8.1

Last Updated: April 20, 2026

Magento Long Term Support - Remote Code Execution

Published: April 20, 2026 | Updated: April 20, 2026 | Remote Exploitable

Overview

Magento Long Term Support (LTS) before 20.17.0 contains an insecure deserialization vulnerability: during image validation, PHP filesystem functions are invoked on attacker-influenced paths that may use the phar:// stream wrapper, so an attacker who uploads a malicious phar file can achieve arbitrary code execution.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary code remotely by uploading malicious phar files disguised as images.

Mitigation

Upgrade to version 20.17.0 or later.
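As an added defensive illustration (not code from Magento LTS, this page, or the advisory), the pattern that fixes for this bug class rely on: reject stream-wrapper paths such as phar:// before any PHP filesystem or image function sees an upload, then canonicalise and content-sniff. Class and method names, the upload root and PHP 8.0+ are assumptions; the page does not name the affected functions.

```php
<?php
// Added example (not Magento LTS code): reject stream-wrapper paths such as
// phar:// before any PHP filesystem or image function sees an upload.
// Class/method names, the upload root and PHP 8.0+ are assumptions.
declare(strict_types=1);

final class SafeImageValidator
{
    // Accept only these content-sniffed MIME types, never the client-supplied name.
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    private string $uploadRoot;

    public function __construct(string $uploadRoot)
    {
        $this->uploadRoot = $uploadRoot;
    }

    // Returns the canonical on-disk path of $candidate, or null if it must be rejected.
    public function canonicalPath(string $candidate): ?string
    {
        // Any URL scheme prefix (phar://, php://, data:, ...) is rejected outright: given
        // a phar:// path, file_exists()/getimagesize()/etc. open the archive and, on PHP
        // builds that unserialize phar metadata on access, instantiate attacker-chosen
        // objects (CWE-502). "C:"-style drive letters are rejected too; fine for a relative path.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate) === 1) {
            return null;
        }
        // Null bytes and traversal sequences are rejected before touching the filesystem.
        if (str_contains($candidate, "\0") || str_contains($candidate, '..')) {
            return null;
        }
        $root = realpath($this->uploadRoot);
        $real = realpath($this->uploadRoot . DIRECTORY_SEPARATOR . $candidate);
        if ($root === false || $real === false || !is_file($real)) {
            return null;
        }
        // realpath() resolved symlinks; the result must still sit under the upload root.
        return str_starts_with($real, $root . DIRECTORY_SEPARATOR) ? $real : null;
    }

    // Sniffs the content only after the path has been canonicalised and checked.
    public function isValidImage(string $candidate): bool
    {
        $path = $this->canonicalPath($candidate);
        if ($path === null) {
            return false;
        }
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        return in_array($mime, self::ALLOWED_MIME, true) && getimagesize($path) !== false;
    }
}
```

The scheme check is the part that matters here: content sniffing alone is not a defence, because a phar archive can begin with a valid image header, so the path must never be allowed to select a stream wrapper.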

Social Media Activity (4 posts)

TheHackerWire (@thehackerwire), Apr 20, 2026:

🟠 CVE-2026-25524 - High (8.1) Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `g... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25524/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-25524
Severity: High
CVSS Score: 8.1
Type: insecure_deserialization
Status: unconfirmed
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)